
COMP3371 Cyber Security Richard Henson University of Worcester October 2015.



Slide 2: Week 5: Access Control using Active Directory
- Objectives:
  - Explain the components of a network directory service
  - Analyse Windows Active Directory and compare it with an X.500 standard service
  - Explain how the use of security policies can help prevent internal network security breaches
  - Apply security policies to a Windows Server setup

Slide 3: "Network Directories" and the PKI
- Directories are not to be confused with "folders"
  - the former is generally a data store that changes only infrequently, e.g. a telephone directory
  - to avoid confusion, computer-based directories are also called "repositories"
- Lots of different "network databases" have evolved on the web
  - not a good idea: they often contain the same information, so when one is updated (e.g. someone's address) all of them should be updated, but that is unlikely to be the case in practice

Slide 4: A Directory for the whole Internet?
- Total solution:
  - use just one repository (meta-directory) for that type of information (e.g. a global telephone directory)
  - provide it on the web as a "directory service"
  - use LDAP applications to access that information directly
- Achieved through a Distributed Directory...

Slide 5: Distributed Directory
- Paper-based equivalent: a series of telephone directories, each covering a clearly defined area
  - collectively cover a wide geographical region
  - serve a variety of purposes
  - all part of the same system for communication
- Distributed directory on a computer network
  - an entry for an entity may appear in multiple directories
  - for example, one for each email system (if there is more than one)
  - for example, one for gaining access to the network by logging on
- Directory synchronisation is essential for tying the distributed directories together

Slide 6: Development of Internet Protocols: roles of the IETF and IESG
- The IESG provides technical management of IETF activities
  - has the power to translate RFC proposals into RFC standards
- Procedure:
  - draft RFC submitted
  - if accepted, the IESG elevates it to RFC "draft" status
  - the RFC is then given consideration as a standard
  - a draft RFC may eventually become a true Internet standard
- LDAP -> X.509 is a good example of successful evolution

Slide 7: X.500 Architecture
- Based on the OSI model
  - X.500 agreed database spec: RFC 1006, which allows OSI applications to run over an IP network
- Full X.500 architecture:
  - DMD (directory management domain)
  - DUA (directory user agents)
  - DIB (directory information base, object oriented), e.g. a directory service database
  - DIT (directory information tree): a hierarchical organisation of entries which are distributed across one or more servers
  - DSA (directory system agent[s]): works with the DIT across servers

Slide 8: X.500 Protocols
- DAP (Directory Access Protocol)
- DSP (Directory System Protocol)
- DISP (Directory Information Shadowing Protocol)
- DOP (Directory Operational Binding Management Protocol)
- Collectively:
  - wide range of functionality
  - cumbersome structure

Slide 9: Simplifying X.500: LDAP
- Developed by University of Michigan researchers in the early 1990s
  - gave up on the complexities of X.500
  - came up with a scheme that:
    - retained the X.500 directory structure
    - gave it a streamlined access protocol based on standard TCP/IP instead of ISO
  - other improvements:
    - pared-down referral mechanism
    - more flexible security model
    - no fixed replication protocol

Slide 10: Microsoft and LDAP
- Microsoft wanted to get into the database server market and realised that Internet compatibility was needed
  - needed X.500 in the directory service planned for the next version of NT
  - adapted the University of Michigan LDAP
- Microsoft helped build the original PKI service provider (Verisign) using the LDAP protocol
- Also ODSI (Open Directory Services Interface):
  - allowed developers to build applications that register with, access and manage multiple directory services with a single set of well-defined interfaces

Slide 11: Microsoft and X.500
- 1996: launched Exchange v4, an email server
  - provided the infrastructure to enable DAP clients to access its directory service information
- Client end X.500 DAP-compliant:
  - Outlook as network client
  - Outlook Express as Internet client
  - client for US government defence messaging

Slide 12: Database for Exchange Server
- Microsoft adopted/devised the ESENT (Extensible Storage Engine... NT) database
  - arranged as a single file organised in a balanced B-tree hierarchical structure
- Also used a new database engine, ESE (JET Blue)
  - uses ISAM (Indexed Sequential Access Method)
  - manages data efficiently; its crash recovery mechanism ensures data consistency is maintained even in the event of a system crash
  - present in Windows as ESENT.DLL

Slide 13: X.509 (Digital Certificates)
- The digital certificate store had to follow the X.500 standard to be "Internet compatible"
  - original X.509 specification: RFC 1422 (1993)
  - LDAP protocol for the "look up"
- Refined many times
  - current version: RFC 5280 (2008)

Slide 14: LDAP, ESE and Active Directory
- According to Microsoft: "Active Directory incorporates decades of communication technologies into the overarching Active Directory concept..."
- Certainly a very successful commercial roll-out of an X.500-compliant directory service
  - also used (uses) ESE to manage data
  - and DNS to integrate with www locations
  - and LDAP to manage PKI requests

Slide 15: Continuous Development of AD
- Continued to work with the IETF
  - Exchange v5 also used the ESE/LDAP/DNS enhancement
  - each version of Windows Server extended the Active Directory services further
  - even Group Policies are managed through AD
- Development continues...

Slide 16: Directory Services and AD
- Active Directory has just one data store, known as the directory
  - stored as NTDS.DIT (where does ".dit" originate from?)
  - distributed across ALL the domain controllers
  - links to objects on, or controlled by, each of the domain controllers (DCs)
  - changes are automatically replicated to all DCs
  - contains details of:
    - stored objects
    - shared resources
    - network user and computer accounts

Slide 17: AD, DNS and Domain Trees
- One great thing about being Internet-compatible is that Active Directory can also logically link domains together
  - very useful for networks using more than one domain
  - each domain in the directory is identified by a DNS domain name and requires one or more domain controllers
- Multiple domains with contiguous DNS domain names make up a parent-child structure known as a domain tree
- If domain names are non-contiguous, they form separate domain trees

Slide 18: "Trust Relationships" between Windows Domains, using DNS
- A system of account authentication between domains was established in the Windows NT architecture
  - but Windows NT trust relationships were isolated and individual
- Active Directory enables trust relationships through DNS naming
  - users and computers can be authenticated between any domains

Slide 19: Active Directory Trust Relationships
- Extends the principle:
  - domains can link together in a schematic way to form "domain trees"
- Trust relationships are automatically created between adjacent domains (parent and child domains) in the tree
  - users and computers can now be authenticated between ANY domains in the domain tree
- So how does this all work securely in practice, across an entire enterprise?

Slide 20: Access Controls
- A set of security mechanisms used to control what a user can do as a result of logging on to a secured environment
  - enforce "authorisation"
  - "identification" and "authentication" may also be associated with logging on
- Effect includes:
  - access to systems, services and resources
  - the interactions users can perform

Slide 21: Remote Logon and Kerberos Authentication
- Another university: MIT
- A series of KDCs (Key Distribution Centres)
  - each a secure database of authorised users, passwords and domain names
  - maintained using the Kerberos V5 security protocol
  - uses strong encryption
  - freely available
- Active Directory + Kerberos = a very powerful combination
  - even used to authenticate across mobile and wireless networks

Slide 22: Components of "Enterprise-wide" Login with Kerberos Authentication
- The Active Directory tree logically connects and "trusts" servers throughout the enterprise
- Servers in their turn control access for users within domains
- Group(s) are selected during the user authentication process
- Group Policy Objects are invoked which rewrite registry settings and control client desktops

Slide 23: Users, Groups, Security and NTFS Partitions
- Any file or folder on an NTFS partition will have file permissions imposed
- Typical permissions:
  - No Access
  - Read only
  - Read and Execute
  - Write
  - Modify
  - Ownership/Full Control
- A much wider range of permissions is available

Slide 24: Point for debate: is "read only" access dangerous?
- If information is held on a server and accessed by dumb terminals, it is secure enough!
  - this was the case in the days of centralised networks with no distributed processing
- With client-server networking, read only means "the user can take a copy"
  - is this dangerous, from an organisational security point of view?

Slide 25: Principle of Least Privilege
- Providing users with sufficient access to do their work, but no more than that!
- Privileges can also be applied temporarily to provide controlled flexibility
- Even individual administrators can have the principle applied to them
  - if they have responsibility for particular resources, they shouldn't have privileges relating to other resources not within their work remit
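As an added example (not from the lecture), the following Python models the permission levels of slide 23 and the group-based access of slides 20 and 25: allow entries accumulate across a user's groups, a deny entry overrides any allow as it does on Windows, and excess_rights reports what a user holds beyond what the job needs. The ACL, group and right names are constructed for the illustration.

```python
"""Effective NTFS-style permissions and a least-privilege check.
Added example, not from the lecture: the slide's permission levels are
expanded to elementary rights, allow entries accumulate across the user's
groups and, as on Windows, any matching deny entry overrides an allow.
"""
from dataclasses import dataclass

# Each permission level on the slide expands to a set of elementary rights.
LEVELS = {
    "Read": {"read"},
    "ReadAndExecute": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "FullControl": {"read", "execute", "write", "delete",
                    "change_permissions", "take_ownership"},
}

@dataclass(frozen=True)
class Ace:
    principal: str        # user or group name the entry applies to
    level: str            # key of LEVELS
    allow: bool = True    # False makes this a deny entry

def effective_rights(user: str, groups: set, acl: list) -> set:
    """Union of allows for the user and its groups, minus every right
    denied to any of them (deny wins, whatever the entry order)."""
    principals = {user} | set(groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(LEVELS[ace.level])
    return allowed - denied

def excess_rights(user: str, groups: set, acl: list, required: set) -> set:
    """Least-privilege check: rights granted beyond what the job needs."""
    return effective_rights(user, groups, acl) - required

# Constructed sample: ACL on a payroll share, granted through groups.
PAYROLL_ACL = [
    Ace("Finance", "Modify"),
    Ace("AllStaff", "Read"),
    Ace("Contractors", "Read", allow=False),
    Ace("Admins", "FullControl"),
]

if __name__ == "__main__":
    print(sorted(effective_rights("alice", {"Finance", "AllStaff"}, PAYROLL_ACL)))
    print(sorted(effective_rights("bob", {"AllStaff", "Contractors"}, PAYROLL_ACL)))
    print(sorted(excess_rights("alice", {"Finance", "AllStaff"}, PAYROLL_ACL, {"read"})))
```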

Slide 26: Groups and Group Policy
- It may be convenient for managers and administrators to put users into groups
  - settings for the group provide particular access to data and services
- Problems:
  - user in the wrong group(s)
  - group has the wrong settings

Slide 27: The Registry and User Control
- The Registry: a simple data store holding many user settings
- Settings are loaded into memory on boot-up
  - easily overwritten by settings from policy files
  - policies can be used for groups of users
  - the resultant policy controls the desktop

Slide 28: What is the Registry?
- A hierarchical and "active" store of system and user settings, viewable using REGEDT32.exe
- Five basic subtrees:
  - HKEY_LOCAL_MACHINE: local computer information; does not change no matter which user is logged on
  - HKEY_USERS: default user settings
  - HKEY_CURRENT_USER: current user settings
  - HKEY_CLASSES_ROOT: software configuration data
  - HKEY_CURRENT_CONFIG: "active" hardware profile
- Each subtree contains one or more subkeys

Slide 29: Location of the Windows Registry
- c:\windows\system32\config
  - "users" may be denied access
- Six files (no extensions):
  - Software
  - System: hardware settings
  - Sam, Security: not viewable through regedt32
  - Default: default user
  - Sysdiff: HKEY_USERS subkeys
- Also the ntuser.dat file: user settings that override the default user

Slide 30: Structure of an Active Directory Tree
- A hierarchical system of organisational data objects
- A tree can be:
  - a single domain with organisational units
  - a group of domains

Slide 31: Domains, Trees and Forests
- Domain objects divide into organisational units (OUs)
  - Microsoft recommend using OUs in preference to domains for imposing structure for administrative purposes
    - flexibility to use either one domain or several
- A "forest" contains the data needed to connect all objects in the tree, and can even connect different trees
- Logical linking creates "trusts" for remote users

Slide 32: Active Directory and DNS
- DNS (Domain Name System): the Internet-based system for naming host computers
- In Active Directory:
  - each server in the tree has a unique IP address
    - but only domains can have a unique DNS identity
    - potential confusion when setting up the domain structure!
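An added example, not part of the lecture, applying the rules of slides 17 and 30-32 in Python: domains whose DNS names are contiguous are grouped into one domain tree, non-contiguous names start separate trees, and each domain's DNS name is mapped to the LDAP distinguished-name form (DC=corp,DC=example,DC=com) that Active Directory uses for domain objects. The sample domain names are constructed.

```python
"""Group Active Directory domain DNS names into domain trees (added example,
not from the lecture): a domain whose DNS name is a contiguous child of
another (sales.corp.example.com under corp.example.com) joins that parent's
tree; a name contiguous with no other domain starts a separate tree.
"""
from __future__ import annotations

def dns_to_dn(dns_name: str) -> str:
    """LDAP distinguished name of a domain, e.g.
    corp.example.com -> DC=corp,DC=example,DC=com."""
    labels = [x for x in dns_name.lower().strip(".").split(".") if x]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)

def parent_of(dns_name: str, domains: set[str]) -> str | None:
    """Nearest domain in `domains` that is a label-boundary suffix of
    `dns_name`; None when `dns_name` is the root of its tree."""
    labels = dns_name.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def build_domain_trees(dns_names: list[str]) -> dict[str, list[str]]:
    """Map each tree-root domain to its members (root first, then
    children by depth): contiguous names share a tree, others do not."""
    domains = {d.lower().strip(".") for d in dns_names}
    trees: dict[str, list[str]] = {}
    # Fewer labels first, so every parent is placed before its children.
    for name in sorted(domains, key=lambda d: (d.count("."), d)):
        parent = parent_of(name, domains)
        if parent is None:
            trees[name] = [name]
            continue
        root = parent                      # climb to the top of the tree
        while (up := parent_of(root, domains)) is not None:
            root = up
        trees[root].append(name)
    return trees

# Constructed sample forest: two contiguous chains plus one lone domain.
SAMPLE_DOMAINS = ["example.com", "corp.example.com", "sales.corp.example.com",
                  "partner.org", "eu.partner.org", "lab.local"]

if __name__ == "__main__":
    for root, members in build_domain_trees(SAMPLE_DOMAINS).items():
        print(f"{dns_to_dn(root)}: {members}")
```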

Slide 33: Managing Security Across a Directory Tree
- Different admin levels:
  - domain admin: looks after a domain
  - enterprise admin: controls all domains in the organisation! (justification of those large salaries?)
- Achieved through Group Policies
  - users with different needs
  - but they had better be right!

Slide 34: Group Policy in Windows Networks
- Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage:
  - programs that are available to users
  - programs that appear on the user's desktop
  - Start menu options
- Group Policy Objects are used with authenticated users to enhance the flexibility and scalability of security beyond "domains" and "trusted domains"
- The required level of trust is achieved through:
  - Active Directory "trees" based on DNS
  - Kerberos authentication

Slide 35: Implementation of Group Policy Objects
- Group Policy Objects (GPOs) are EXTREMELY POWERFUL
  - contain all the specified settings to give a group of users their desktop with the agreed security levels applied
  - a template editing tool is available as a "snap-in" with Windows Servers
    - a policy provides a specific desktop configuration for a particular group of users
- The GPO is in turn associated with selected Active Directory objects:
  - sites, domains, organisational units

Slide 36: Combined Power of Group Policies and Active Directory
- Enables written user/group policies to be easily implemented in software
- Enables policies to be applied across whole domains:
  - and beyond, in trusted contiguous domains in the domain tree
  - or, using Kerberos, even across any non-contiguous domains in the same forest
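Added example, not the lecture's own material: a Python model of the "resultant policy" of slide 27 when GPOs are linked to the sites, domains and OUs of slide 35. It assumes the standard Windows processing order (local policy, then site, domain and OU links from the root OU down), with later links overriding earlier ones and a setting left "not configured" inheriting the earlier value; the GPO and setting names are constructed.

```python
"""Resultant policy for a user or computer in an OU (added example, not from
the lecture). Assumes the standard Windows order Local -> Site -> Domain ->
OU (parent before child): later links override earlier ones and a setting
left None ('not configured') keeps the value inherited so far.
"""
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict          # setting name -> value, None = not configured

@dataclass
class Scope:
    """An Active Directory site, domain or OU that GPOs can be linked to."""
    name: str
    gpos: list = field(default_factory=list)   # processed in list order

def apply_order(local: Gpo, site: Scope, domain: Scope, ou_path: list) -> list:
    """GPOs in processing order: local, site, domain, then OUs root to leaf."""
    order = [local]
    for scope in [site, domain, *ou_path]:
        order.extend(scope.gpos)
    return order

def resultant_policy(local: Gpo, site: Scope, domain: Scope, ou_path: list) -> dict:
    """Return {setting: (winning value, name of the GPO that set it)}."""
    result = {}
    for gpo in apply_order(local, site, domain, ou_path):
        for key, value in gpo.settings.items():
            if value is not None:           # a later configured GPO wins
                result[key] = (value, gpo.name)
    return result

# Constructed sample: Finance OU nested under Staff OU in the domain.
LOCAL = Gpo("Local Computer Policy",
            {"ScreenSaverTimeout": 900, "RemovableStorageDeny": False})
SITE = Scope("Worcester", [Gpo("Site-Proxy", {"ProxyServer": "proxy.example.local:8080"})])
DOMAIN = Scope("example.local",
               [Gpo("Domain-Baseline", {"ScreenSaverTimeout": 600, "MinPasswordLength": 12})])
STAFF_OU = Scope("OU=Staff",
                 [Gpo("Staff-Desktop", {"RemovableStorageDeny": True, "ScreenSaverTimeout": None})])
FINANCE_OU = Scope("OU=Finance,OU=Staff", [Gpo("Finance-Lockdown", {"ScreenSaverTimeout": 300})])

if __name__ == "__main__":
    for key, (value, source) in resultant_policy(LOCAL, SITE, DOMAIN, [STAFF_OU, FINANCE_OU]).items():
        print(f"{key} = {value!r}  (set by {source})")
```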

